Description
There is a possible integer overflow when calculating `needed` inside `VerifyCommitTrusting`: https://github.com/tendermint/tendermint/blob/master/types/validator_set.go#L769
Assume that the verifying client provides a `trustLevel` of 17/51 and a commit that has zero valid validator signatures. Since `TotalVotingPower` and `Numerator` are Go `int64` types, the computation `vals.TotalVotingPower() * trustLevel.Numerator` will overflow, returning the value −8646911284551352337. The `needed` value therefore evaluates to −169547280089242202. Zero validator signatures were successfully verified, so `talliedVotingPower` is 0. Since 0 > `votingPowerNeeded`, the commit will successfully verify despite not meeting the trust requirements and containing zero validator signatures.
The recommendation is to use safe arithmetic to compute `votingPowerNeeded` (similar to `safeAdd` and `safeSub`) and to return an error if an overflow occurs.
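As an added illustration (not code from this issue or from Tendermint), the following Go program reproduces the wrap described above and places it beside a checked version of the threshold computation; `TrustLevel`, `safeMul`, `votingPowerNeededSafe` and `verifyTrusting` are assumed stand-ins for the light client's own types and functions, and the total voting power used is a constructed value chosen so that `total * 17` exceeds `MaxInt64`.

```go
package main

import (
	"fmt"
	"math"
)

// TrustLevel stands in for the light client's trust fraction (hypothetical name).
type TrustLevel struct{ Numerator, Denominator int64 }

// safeMul returns a*b, or an error when the product does not fit in an int64.
// c/b != a catches every wrap except MinInt64 * -1, which Go wraps silently.
func safeMul(a, b int64) (int64, error) {
	c := a * b
	if (b != 0 && c/b != a) || (a == math.MinInt64 && b == -1) {
		return 0, fmt.Errorf("%d * %d overflows int64", a, b)
	}
	return c, nil
}

// votingPowerNeededUnsafe reproduces the issue's arithmetic: a plain int64 product that can wrap.
func votingPowerNeededUnsafe(totalVotingPower int64, tl TrustLevel) int64 {
	return totalVotingPower * tl.Numerator / tl.Denominator
}

// votingPowerNeededSafe computes the same threshold but reports overflow instead of wrapping.
func votingPowerNeededSafe(totalVotingPower int64, tl TrustLevel) (int64, error) {
	product, err := safeMul(totalVotingPower, tl.Numerator)
	if err != nil {
		return 0, fmt.Errorf("voting power needed: %w", err)
	}
	return product / tl.Denominator, nil
}

// verifyTrusting mirrors the final check: the commit passes only when tallied > needed.
func verifyTrusting(totalVotingPower, talliedVotingPower int64, tl TrustLevel) (bool, error) {
	needed, err := votingPowerNeededSafe(totalVotingPower, tl)
	if err != nil {
		return false, err
	}
	return talliedVotingPower > needed, nil
}

func main() {
	tl := TrustLevel{Numerator: 17, Denominator: 51}
	total := int64(1)<<59 - 1 // constructed: total*17 exceeds MaxInt64 and wraps negative
	fmt.Println(votingPowerNeededUnsafe(total, tl)) // -169547280089242202
	fmt.Println(verifyTrusting(total, 0, tl))       // false, overflow error
}
```

With this total the unchecked version yields exactly the negative threshold quoted in the issue, so a commit with zero tallied power passes; the checked version refuses to produce a threshold at all.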
via the light client audit